Valley Anesthesiology and Pain Consultants (“VAPC”), a physician group of more than 200 anesthesiologists and pain management specialists with several locations near Phoenix, Arizona, began notifying patients on August 11, 2016, of a potential data breach involving protected health information (“PHI”), even though the forensic consultant it retained found no evidence that the information on the computer system was accessed. The consultant was unable to definitively rule out access after its investigation, however, and it did confirm that an individual gained access to a system containing PHI. The physician group elected to take the proactive route of notifying affected individuals. The forensic firm was apparently called in shortly after VAPC learned on June 13, 2016, that a third party may have gained unauthorized access to VAPC’s computer system on March 30, 2016, including records of 882,590 current and former patients, employees and providers.

On its website, VAPC says it values its relationship with patients and so decided to mail the notification letters. Law enforcement was also advised, and a dedicated call center has been set up to answer patients’ questions. Patients have been advised to review the statements they receive from their health insurer and to advise the insurer of any unusual activity. The computer system accessed is believed to have contained patient names, limited clinical information, name of health insurer, insurance identification numbers, and in some instances, social security numbers (“SSN”). No patient financial information was included in the computer systems. For providers, the information included credentialing information such as names, dates of birth, SSN, professional license numbers, DEA (Drug Enforcement Agency) and NPI (National Provider Identifier) numbers, as well as bank account information and potentially other financial information. The employee records on the system included names, dates of birth, addresses, SSNs, bank account information and financial information. Individuals who had their SSN or Medicare number exposed are being offered credit monitoring and identity theft protection services.

The circumstances of the incident illustrate the quandary created by the presumption that an incident is a reportable breach if you cannot prove there was no access to the information, and the interplay between the HIPAA Security Rule and the Privacy Rule. Here, it was apparently established that the system’s security was breached, but it was unclear whether protected health information was actually accessed once the unauthorized individual was in the system.

On July 11, 2016, the Office for Civil Rights (“OCR”) published guidelines for ransomware attack prevention and recovery, including the role HIPAA has in assisting covered entities and business associates to prevent and recover from such attacks, and how HIPAA breach notification processes should be managed in response to a ransomware attack. According to the OCR report, there have been 4,000 daily ransomware attacks since early 2016, up 300% from 2015. Earlier this week a healthcare IT Security Consultant told me the chatter he hears is that the hackers out there are working on stronger, more aggressive, more deadly hacks to unleash, and he fears a hacking storm a brewin’. Time to get serious and batten down the hatches, folks!

The OCR report describes what a ransomware attack is, and explains that maintaining strict HIPAA Security Rule compliance can help prevent the introduction of malware, including ransomware. Some of the required security measures discussed include:

Implementing a security management process, which includes conducting a risk analysis and taking steps to mitigate or remediate identified threats and vulnerabilities;

Implementing processes to guard against and detect malicious software;

Training users on malicious software protection; and

Implementing access controls.

Because ransomware, once inside a system, ties up your data and denies you access to it (usually through encryption), and then directs you to pay a ransom to the hacker in order to receive a decryption key, maintaining frequent backups and ensuring that data can actually be recovered from those backups is crucial to recovering from a ransomware attack. Again, HIPAA compliance protects entities because the Security Rule requires covered entities and business associates to implement a data backup plan as part of maintaining an overall contingency plan, which includes periodic testing of the plan to be sure it works.

The presence of ransomware – or any malware – is considered a security incident and triggers the need to initiate security incident response and reporting procedures. Based upon an analysis of the investigation results, breach notification may be required. Additionally, if there is an impermissible disclosure of PHI in violation of the Privacy Rule, there is a presumed breach which may trigger notification. Whether the presence of ransomware constitutes a breach under the HIPAA Rules is thus fact specific. However, unless the entity demonstrates there is a “…low probability that the PHI has been compromised,” a breach of PHI is presumed to have occurred and the entity must comply with the applicable breach notification provisions.

The Office for Civil Rights of the U.S. Department of Health and Human Services (“OCR”) has launched a new audit initiative to make sure that health care providers are complying with HIPAA. Concerning its initiative, OCR says, “OCR’s audits will enhance industry awareness of compliance obligations and enable OCR to better target technical assistance regarding problems identified through the audits.” Providers would be well advised to ensure that they are ready for a HIPAA audit and are in full compliance with the Privacy Rule.

The Office of the National Coordinator for Health Information Technology (ONC) recently issued an updated Guide to Privacy and Security of Electronic Health Information. The guide is a resource that can help health care providers comply with the Medicare and Medicaid Electronic Health Record (EHR) Incentive Programs’ privacy and security requirements and the HIPAA Privacy, Security, and Breach Notification Rules.

The guide provides a summary of key information in the following areas:

Understanding HIPAA rules;

Patients’ Health Information Rights;

Electronic Health Records, the HIPAA Security Rules, and Cybersecurity; and

The guide walks health care providers through the key components of each of these subject areas.

In addition, the guide provides tools for health care providers who want to implement a security management process or provide notification about a HIPAA breach. The guide has a sample seven-step approach that can be used to implement a security management process, including help addressing the security requirement of Meaningful Use under the Medicare and Medicaid Electronic Health Record (EHR) Incentive Programs. Finally, the guide provides information about what to do if there is an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of protected health information. The information includes a risk assessment process for breaches, reporting breaches, and government investigation and enforcement of potential HIPAA violations.

On September 17, the Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) issued guidance to assist covered entities and business associates in understanding their obligations under the privacy rule. The guidance follows the U.S. Supreme Court’s June 2013 decision in United States v. Windsor, which held that Section 3 of the Defense of Marriage Act (DOMA) – a provision that said federal law recognizes only opposite-sex marriages – is unconstitutional. As a result of the Supreme Court’s decision, covered entities and business associates must consider their privacy rule obligations regarding lawfully married same-sex spouses and same-sex marriage.

OCR’s guidance clarifies the terms “spouse,” “marriage,” and “family member” as these terms are used in 45 C.F.R. § 160.103. Based on the Supreme Court’s decision, OCR states that the term “spouse” includes individuals who are in a legally valid same-sex marriage sanctioned by a state, territory, or foreign jurisdiction (as long as a U.S. jurisdiction would recognize a marriage performed in a foreign jurisdiction). OCR clarifies that the term “marriage” includes same-sex and opposite-sex marriages, and “family member” includes dependents of those marriages. Finally, OCR states that these terms apply to individuals who are legally married, whether or not they live or receive services in a jurisdiction that recognizes their marriage.

These definitions are relevant to the application of at least two sections of the Health Insurance Portability and Accountability Act (HIPAA) privacy rule. The definition of “family member” is relevant to the application of 45 C.F.R. § 164.510(b), which relates to sharing an individual’s protected health information with a family member. According to OCR, legally married same-sex spouses, regardless of where they live, are family members for the purposes of applying this provision. The definition of “family member” also applies to 45 C.F.R. § 164.502(a)(5)(i), relating to use and disclosure of genetic information for underwriting purposes.

OCR indicates that it plans to issue additional clarifications through guidance or to initiate rulemaking to address same-sex spouses as personal representatives under the privacy rule.

Covered entities and business associates should provide training on this guidance, as well as update policies and procedures.

About Gordon & Rees

Gordon & Rees is a national litigation and business transactions firm with more than 800 attorneys across the United States. We deliver maximum value to our clients by combining the resources, size, and scale of a full-service national firm with the responsiveness, flexibility, and local knowledge of a regional firm.